Defect on Docs page: Release Channels and Signing Keys
Hi
On this page: https://f-droid.org/docs/Release_Channels_and_Signing_Keys/?title=Release_Channels_and_Signing_Keys
The steps to "establish trust" in the PGP public key used to derive the PGP signature of the main F-Droid APK download have an issue.
This line:
    # verify against the key that is embedded in this page
    wget -O - https://f-droid/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
Should be:
    # verify against the key that is embedded in this page
    wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
(Missing ".org")
Further, those steps stop with importing the now "trusted" public key, but stop short of showing you how to actually verify the downloaded APK against the published PGP signature. I understand the topic of that Docs page is "Signing Keys", but I could only find anecdotal steps in forums on how to actually verify the signature of the APK.
If there is a Docs page for this, it might be useful to add a link to it on the "Release Channels and Signing Keys" page.
What is missing is the verification step, after importing the public key:
    gpg --verify FDroid.apk.asc FDroid.apk
Thanks
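
The verification step from the post above, extended to also check which key made the signature. This is an added example, not part of the original post or the F-Droid docs. The function names are hypothetical, and the expected fingerprint is an argument you supply from the "Release Channels and Signing Keys" page.

```shell
#!/bin/sh
# Added example: "gpg --verify" succeeds for a good signature from ANY key in
# the keyring, so also compare the signer's fingerprint with the published one.
# Function names are hypothetical; the expected fingerprint is supplied by the
# caller (copy it from the docs page, it is not hard-coded here).

# Read "gpg --status-fd" output on stdin and print the primary-key fingerprint
# of the first VALIDSIG line (field 12), falling back to the signing-key
# fingerprint (field 3) when gpg did not report a primary key.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# fpr_matches STATUS_TEXT EXPECTED_FPR
# True only if the status text has a VALIDSIG line whose key equals EXPECTED_FPR.
fpr_matches() {
    got=$(printf '%s\n' "$1" | validsig_fpr)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$2")" ]
}

# verify_apk SIG_FILE APK_FILE EXPECTED_FPR
# Fails on a bad or missing signature, an unknown key, or a good signature
# made by a key other than the expected one.
verify_apk() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    fpr_matches "$status" "$3"
}

# Usage: sh verify.sh FDroid.apk.asc FDroid.apk "<fingerprint from the docs page>"
if [ "$#" -eq 3 ]; then
    if verify_apk "$1" "$2" "$3"; then
        echo "OK: good signature from the expected key"
    else
        echo "FAIL: signature invalid or made by an unexpected key" >&2
        exit 1
    fi
fi
```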